On Tue, 22 Sep 2009 17:50, bmea...@ieee.org said:

> Thanks for the response. So EXPKEYSIG doesn't mean the key was expired
> when the signature was made, right? If that shows up along with

It means that the key has expired by now.

> VALIDSIG, it's ok to trust the signature, correct? What about

That is up to you. Usually you would show a message stating that the key used to create the message meanwhile expired. Whether you take the signature creation date into account and show a different message is up to you. If a signer wants to use an expired key for signing he may as well change the signature creation time.

> REVKEYSIG? If a key is revoked, is there an easy way to know if the
> signature was made prior to revocation, or would it be necessary to
> just compare the stamps on the signature and the revocation?

There is no way because you don't know why the key was revoked. Sure the revocation signature allows to give a reason of revocation and you can take that into account, but if the key was compromised an attacker may also create a revocation with a different reason (e.g. key superseded). You can't tell who did the revocation.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
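
As an added illustration that is not part of the message above, this Python sketch applies one possible policy to the `[GNUPG:]` lines that `gpg --status-fd` prints for a single signature. The verdict names, the `check` function and the sample lines (placeholder key id and fingerprint) are assumptions made for the example; the message itself leaves the policy to the application.

```python
from datetime import datetime, timezone

# Constructed sample of `gpg --status-fd 1 --verify` output for one
# signature; the key id and fingerprint are placeholders, not real keys.
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE = ("[GNUPG:] %s 89ABCDEF01234567 Example Signer <signer@example.org>\n"
          "[GNUPG:] VALIDSIG " + FPR + " 2009-09-22 1253634600 0 4 0 1 2 00 "
          + FPR + "\n")

# Status keywords that report the outcome of checking one signature.
SIG_KEYWORDS = {"GOODSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "BADSIG", "ERRSIG"}


def check(status_text):
    """Map one signature's status lines to (verdict, claimed_time, note)."""
    keyword, valid, claimed = None, False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in SIG_KEYWORDS:
            if keyword:
                raise ValueError("expected status lines for exactly one signature")
            keyword = fields[1]
        elif fields[1] == "VALIDSIG" and len(fields) >= 5:
            valid = True
            # Signature timestamp: written by the signer, so only ever a claim.
            if fields[4].isdigit():
                claimed = datetime.fromtimestamp(int(fields[4]), timezone.utc)
    if keyword == "GOODSIG" and valid:
        return "good", claimed, "signature and key are fine"
    if keyword == "EXPKEYSIG" and valid:
        return ("good-key-expired", claimed,
                "key has expired by now; signing time is the signer's claim")
    if keyword == "REVKEYSIG":
        # No timestamp comparison here: neither the signature time nor the
        # revocation reason shows who acted, or in which order.
        return ("key-revoked", claimed,
                "cannot tell whether signing preceded revocation")
    return "bad", claimed, "no usable signature (%s)" % (keyword or "none")


if __name__ == "__main__":
    for kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
        print(kw, "->", check(SAMPLE % kw))
```
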